Even with the most advanced technology, the most effective security systems, and best-planned preventative controls, a company’s data will still be at some risk. New and sophisticated cyber-attacks are created every day, with threats coming from profit-motivated criminals, hackers with various agendas, unscrupulous competitors, and even foreign governments.
So perfection is not a possible option. BUT…and here’s the good news: you can get very close.
But you have to approach your cyber-security in an intelligent and systematic way, implementing a strategic array of countermeasures that protect multiple points of vulnerability for your business (e.g., network, servers, desktops, and smartphones). Implemented correctly, you can greatly reduce your security risk to the point that you can feel confident that you can prevent security breaches.
For most organizations, this goal requires an increased level of dedication to security. After all, small and midsize companies typically have few or no resources dedicated to information security. Most of these organizations don’t even have a way of determining how much sensitive information is stored on their systems. And while most businesses do know they need anti-malware tools and a firewall, they don’t fully understand how comprehensive their security measures need to be.
There are 10 key areas that we advise businesses to focus on in order to mitigate information security risks:
1. Security Awareness Training
This is one of the areas companies ignore…at their peril. No, it’s not high-tech. No, it’s not sexy. But security awareness training has the greatest security ROI and highest security impact. It’s true.
Most security breaches actually originate inside companies by disgruntled or negligent employees.
So, what should you do? Educate everyone in your company so they can help identify a variety of security risks.
For example, employees should be able to spot and identify email phishing and spoofing attacks. They should also be trained not to store, send or copy sensitive information that’s unencrypted. And they should know not to share sensitive information over the phone unless they are 100% sure of the audience.
Again, our #1 advice to mitigate your security risk: train employees on security policies and practices. And make sure to revisit the issues and retrain at least yearly (sooner if you can).
2. Anti-Virus & Anti-Malware Protection
Virus outbreaks make the news (like the recent Flame virus), so most people know they should have anti-virus and other malware protection for their personal computers. And most people assume businesses are protected. Often they are not. Or at least not adequately protected.
Malware infections can hit your bottom line hard. They can cause fraud, loss of data, identity theft, or decreased companywide productivity due to slow or unusable computers.
Businesses are increasingly adopting an “endpoint security” strategy to combat malware threats. Endpoint security is an information security concept that means that each device (or endpoint) on a network should be responsible for and capable of providing for it’s own security.
Whatever your anti-malware solution, it should scan email for attached viruses, monitor files in real time for infections, and perform thorough scans of every file.
3. Data Encryption
Encrypted data isn’t any less likely to be stolen by hackers or other intruders. But data encryption is still a powerful part of your business’s information security. Encryption protects your data even after it has been accessed. Once it is encrypted, your business data is worthless to the bad guys and remains protected. They would need the encryption key to read your data. So we advise all businesses to encrypt data in case it is compromised or lost (employees leaving unencrypted laptops at airports or coffee shops has caused some serious data breaches).
4. Access Controls
Your business should not be a free-for-all for your employees. When everyone has access to everything, your information security is at risk. For increased security, only give employees (and partners) access to the data they need. This includes both physical and logical access. A good strategy is to start by granting the least privilege. You can then escalate privileges to allow access to unauthorized data on an as-needed basis.
Patching is essential to minimizing the risk to your computer systems. Patches are often released to fix security holes in systems and applications. Make sure you keep all operating systems and applications you run patched. Install the latest firmware updates on all network devices.
6. Mobile Devices
Laptops, smartphones, and tablets have increased the productivity and mobility of today’s workforce. But along with that productivity comes vulnerability. Lost or stolen laptops and other mobile devices are the top cause of data breaches. We recommend you manage endpoints centrally to allow your security policies to be easily deployed. You should also enable auto-lock or require a password to access all devices.
EarthLink Business offers managed laptop security services to address these risks.
Knowledge is power. In the security realm, monitoring is the knowledge you need to be confident you have powerful protection. Make sure your business is set up to monitor systems and network devices for any abnormalities.
Deploy a SIEM (security incident & event management) that correlates logs form all levels of infrastructure – network, systems, and user activity. Don’t just block activity at a firewall or IPS. Log it, review it and learn from it. Attackers are finding new ways to expose networks. Know what is happening so you can continue to address it.
You should also install content filtering to monitor user activity from within your business. The most common form of employee misuse of the Internet is to surf porn. Another co-worker witnessing this misuse of your company resources can result in legal action and a monetary judgment against your company. Employees also often download or email viruses, causing security breaches. So it is imperative that you need to monitor what your users are doing on the Web.
A firewall is the first line of defense against any attack (network or host). It acts a barrier between a public network and a private network.
EarthLink offers managed firewalls that are designed to allow good traffic in and to keep malicious traffic out. A majority of firewall breaches are caused by the misconfiguration of firewall rules and policies.
9. Remote Backup
Backup is one of the most neglected areas of computing and therefore typically one of the biggest opportunities your business has to mitigate risk. Why? Because stuff happens. All the time.
Theft, floods, fires, tornadoes, hurricanes, and other unforeseen occurrences can cause large amounts of data loss that can cripple your business.
Often, businesses invest in securing data from hackers or malware, but then the data is physically destroyed by natural causes. If the data doesn’t exist, securing it from outside threats doesn’t matter.
That’s why it’s so important to backup your company’s data to an remote location so data will be retained in the event of a disaster at your main location.
10. Security Assessments & Penetration Testing
To secure your business you must stay vigilant. There are always bad guys looking for the next way to compromise your business’s information. So you have to perform annual or, better, quarterly vulnerability assessments to identify new risks. The ever-changing security environment is always creating new risks. Identify the new risks that apply to your business and fix them before someone else finds them.
We also recommend that all businesses have a formal Information Security Risk Assessment done every three years, which is the life cycle of most products these days.
If you need more information on security for your business, contact us and one of our IT experts can help you ensure your data is as secure as possible.